Server Security
Table of Contents
Follow Symbolic Link | Check Symbolic Link | Force Strict Ownership Checking | Required Permission Mask | Restricted Permission Mask | Script Restricted Permission Mask | Script Directory Restricted Permission Mask
Static Requests/Second | Dynamic Requests/Second | Outbound Bandwidth (bytes/sec) | Inbound Bandwidth (bytes/sec) | Connection Soft Limit | Connection Hard Limit | Block Bad Request | Grace Period (sec) | Banned Period (sec)
CGI Daemon Socket | Max CGI Instances | Minimum UID | Minimum GID | Force GID | umask | CGI Priority | CPU Soft Limit (sec) | CPU Hard Limit | Memory Soft Limit (bytes) | Memory Hard Limit (bytes) | Process Soft Limit | Process Hard Limit | cgroups
Enable reCAPTCHA | Site Key | Secret Key | reCAPTCHA Type | Max Tries | Allowed Robot Hits | Bot White List | Connection Limit | SSL Connection Limit
Bubblewrap Container | Bubblewrap Command | Namespace Container | Namespace Template File
Follow Symbolic Link⇑
Description
Specifies the server-level default setting of following symbolic links when serving static files.
Choices are Yes, If Owner Match and No.
Yes sets the server to always follow symbolic links. If Owner Match sets the server to follow a symbolic link only if the owner of the link and of the target are same. No means the server will never follow a symbolic link. This setting can be overridden in the virtual host configurations but cannot be overridden from an .htaccess file.
Syntax
Select from drop down list
Tips
For best security select No or If Owner Match. For best performance, select Yes.
See Also
Check Symbolic Link⇑
Description
Specifies whether to check symbolic links against Access Denied Directories when Follow Symbolic Link is turned on. If enabled, the canonical real path of the resource referred by a URL will be checked against the configurable access denied directories. Access will be denied if it falls inside an access denied directory.
Syntax
Select from radio box
Tips
For best security, enable this option. For best performance, disable it.
See Also
Force Strict Ownership Checking⇑
Description
Specifies whether to enforce strict file ownership checking. If it is enabled, the web server will check if the owner of the file being served is the same as the owner of the virtual host. If it is different, a 403 Access Denied Error will be returned. This is turned off by default.
Syntax
Select from radio box
Tips
For shared hosting, enable this check for better security.
Required Permission Mask⇑
Description
Specifies the required permission mask for static files that the server will serve. For example, if only files that are readable by everyone can be served, set the value to 0004. See man 2 stat for all values.
Syntax
octal numbers
See Also
Restricted Permission Mask⇑
Description
Specifies the restricted permission mask for static files that the server will not serve. For example, to prohibit serving files that are executable, set the mask to 0111.
See man 2 stat for all values.
Syntax
octal numbers
See Also
Script Restricted Permission Mask⇑
Description
Specifies the restricted permission mask for script files that the server will not serve. For example, to prohibit serving PHP scripts that are group and world writable, set the mask to 022. Default value is 000.
See man 2 stat for all values.
Syntax
octal numbers
See Also
Script Directory Restricted Permission Mask⇑
Description
Specifies the restricted permission mask of parent directories of script files that the server will not serve. For example, to prohibit serving PHP scripts in a directory that is group and world writable, set the mask to 022. Default value is 000. This option can be used to prevent serving scripts under a directory of uploaded files.
See man 2 stat for all values.
Syntax
octal numbers
See Also
Per Client Throttling⇑
Description
These are connection control settings are based on client IP. These settings help to mitigate DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks.
Static Requests/Second⇑
Description
Specifies the maximum number of requests to static content coming from a single IP address that can be processed in a single second regardless of the number of connections established.
When this limit is reached, all future requests are tar-pitted until the next second. Request limits for dynamically generated content are independent of this limit. Per-client request limits can be set at server- or virtual host-level. Virtual host-level settings override server-level settings.
Syntax
Integer number
Tips
Trusted IPs or sub-networks are not affected.
See Also
Dynamic Requests/Second⇑
Description
Specifies the maximum number of requests to dynamically generated content coming from a single IP address that can be processed in each second regardless of the number of connections established. When this limit is reached, all future requests to dynamic content are tar-pitted until the next second.
The request limit for static content is independent of this limit. This per client request limit can be set at server or virtual host level. Virtual host-level settings override server-level settings.
Syntax
Integer number
Tips
Trusted IPs or sub-networks are not restrained by this limit.
See Also
Outbound Bandwidth (bytes/sec)⇑
Description
The maximum allowed outgoing throughput to a single IP address, regardless of the number of connections established. The real bandwidth may end up being slightly higher than this setting for efficiency reasons. Bandwidth is allocated in 4KB units. Set to 0 to disable throttling. Per-client bandwidth limits (bytes/sec) can be set at the server or virtual host level where virtual host level settings override server level settings.
Syntax
Integer number
Tips
Set the bandwidth in 8KB units for better performance.
Trusted IPs or sub-networks are not affected.
See Also
Inbound Bandwidth (bytes/sec)⇑
Description
The maximum allowed incoming throughput from a single IP address, regardless of the number of connections established. The real bandwidth may end up being slightly higher than this setting for efficiency reasons. Bandwidth is allocated in 1KB units. Set to 0 to disable throttling. Per-client bandwidth limits (bytes/sec) can be set at the server or virtual host level where virtual host level settings override server level settings.
Syntax
Integer number
Tips
Trusted IPs or sub-networks are not affected.
See Also
Connection Soft Limit⇑
Description
Specifies the soft limit of concurrent connections allowed from one IP. This soft limit can be exceeded temporarily during Grace Period (sec) as long as the number is below the Connection Hard Limit, but Keep-Alive connections will be closed as soon as possible until the number of connections is lower than the limit. If number of connections is still over the limit after the Grace Period (sec), that IP will be blocked for the Banned Period (sec).
For example, if a page contains many small graphs, the browser may try to set up many connections at same time, especially for HTTP/1.0 clients. You would want to allow those connections for a short period.
HTTP/1.1 clients may also set up multiple connections to speed up downloading and SSL requires separate connections from non-SSL connections. Make sure the limit is set properly, as not to adversely affect normal service. The recommended limit is between 5 and 10.
Syntax
Integer number
Tips
A lower number will enable serving more distinct clients.
Trusted IPs or sub-networks are not affected.
Set to a high value when you are performing benchmark tests with a large number of concurrent client machines.
Connection Hard Limit⇑
Description
Specifies the maximum number of allowed concurrent connections from a single IP address. This limit is always enforced and a client will never be able to exceed this limit. HTTP/1.0 clients usually try to set up as many connections as they need to download embedded content at the same time. This limit should be set high enough so that HTTP/1.0 clients can still access the site. Use Connection Soft Limit to set the desired connection limit.
The recommended limit is between 20 and 50 depending on the content of your web page and your traffic load.
Syntax
Integer number
Tips
A lower number will enable serving more distinct clients.
Trusted IPs or sub-networks are not affected.
Set to a high value when you are performing benchmark tests with a large number of concurrent client machines.
Block Bad Request⇑
Description
Block IPs that keep sending badly-formatted HTTP requests for the Banned Period (sec). Default is Yes. This helps to block botnet attacks that repeatedly sending junk requests.
Syntax
Select from radio box
Grace Period (sec)⇑
Description
Specifies how long new connections can be accepted after the number of connections established from one IP is over the Connection Soft Limit. Within this period, new connections will be accepted if the total connections is still below the Connection Hard Limit. After this period has elapsed, if the number of connections still higher than the Connection Soft Limit, then the offending IP will be blocked for the Banned Period (sec).
Syntax
Integer number
Tips
Set to a proper number big enough for downloading a complete page but low enough to prevent deliberate attacks.
Banned Period (sec)⇑
Description
Specifies how long new connections will be rejected from an IP if, after the Grace Period (sec) has elapsed, the number of connections is still more than the Connection Soft Limit. If IPs are getting banned repeatedly, we suggest that you increase your banned period to stiffen the penalty for abuse.
Syntax
Integer number
CGI Settings⇑
Description
The following settings control CGI processes. Memory and process limits also serve as the default for other external applications if limits have not been set explicitly for those applications.
CGI Daemon Socket⇑
Description
A unique socket address used to communicate with the CGI daemon. LiteSpeed server uses a standalone CGI daemon to spawn CGI scripts for best performance and security. If you need to change this location, specify a Unix domain socket here.
Default value: uds://$SERVER_ROOT/admin/lscgid/.cgid.sock
Syntax
UDS://path
Example
Max CGI Instances⇑
Description
Specifies the maximum number of concurrent CGI processes the server can start. For each request to a CGI script, the server needs to start a standalone CGI process. On a Unix system, the number of concurrent processes is limited. Excessive concurrent processes will degrade the performance of the whole system and are one way to perform a DoS attack. LiteSpeed server pipelines requests to CGI scripts and limits concurrent CGI processes to ensure the optimal performance and reliability. The hard limit is 2000.
Syntax
Integer number
Tips
A higher limit does not necessarily translate to faster performance. In most cases, a lower limit gives better performance and security. A higher limit will only help when I/O latency is excessive during CGI processing.
Minimum UID⇑
Description
Specifies the minimum user ID allowed to run external applications when running as a specified user. Execution of an external script with a user ID lower than the value specified here will be denied.
Syntax
Integer number
Tips
Set it high enough to exclude all system/privileged users.
Minimum GID⇑
Description
Specifies the minimum group ID allowed to run external applications when running as a specified group. Execution of an external script with a group ID lower than the value specified here will be denied.
Syntax
Integer number
Tips
Set it high enough to exclude all groups used by system users.
Force GID⇑
Description
Specifies a group ID to be used for all external applications started in suEXEC mode. When set to non-zero value, all suEXEC external applications (CGI/FastCGI/LSAPI) will use this group ID. This can be used to prevent an external application from accessing files owned by other users.
For example, in a shared hosting environment, LiteSpeed runs as user "www-data", group "www-data". Each docroot is owned by a user account, with a group of "www-data" and permission mode 0750. If Force GID is set to "nogroup" (or any group other than 'www-data'), all suEXEC external applications will run as a particular user but in the group "nogroup". These external application processes will still be able to access files owned by that particular user (because of their user ID), but will not have group permission to access anyone else's files. The server, on the other hand, still can serve files under any user's docroot directory (because of its group ID).
Syntax
Integer number
Tips
Set it high enough to exclude all groups used by system users.
umask⇑
Description
Sets default umask for CGI processes. See man 2 umask for details. This also serves as the default value for external applications umask.
Syntax
value valid range [000]-[777].
See Also
ExtApp umask
CGI Priority⇑
Description
Specifies priority of the external application process. Value ranges from -20 to 20. A lower number means a higher priority.
A CGI process cannot have a higher priority than the web server. If this priority is set to a lower number than the server's, the server's priority will be used for this value.
Syntax
int
See Also
Server Priority
CPU Soft Limit (sec)⇑
Description
Specifies CPU consumption time limit in seconds for a CGI process. When the process reaches the soft limit, it will be notified by a signal. The operating system's default setting will be used if the value is absent or set to 0.
Syntax
Integer number
CPU Hard Limit⇑
Description
Specifies maximum CPU consumption time limit in seconds for a CGI process. If the process continues to consume CPU time and reach the hard limit, the process will be force killed. The operating system's default setting will be used if the value is absent or set to 0.
Syntax
Integer number
Memory Soft Limit (bytes)⇑
Description
Specifies the memory consumption limit in bytes for an external application process or an external application started by the server.
The main purpose of this limit is to prevent excessive memory usage because of software bugs or intentional attacks, not to impose a limit on normal usage. Make sure to leave enough head room, otherwise your application may fail and 503 error may be returned. It can be set at the server- level or at an individual external application level. The server-level limit will be used if it is not set at the individual application level.
The operating system's default setting will be used if the value is absent at both levels or set to 0.
Syntax
Integer number
Tips
Do not over adjust this limit. This may result in 503 errors if your application needs more memory.
Memory Hard Limit (bytes)⇑
Description
Much the same as Memory Soft Limit (bytes), except the soft limit can be raised up to the hard limit from within a user process. The hard limit can be set at server level or at an individual external application level. The server-level limit will be used if it is not set at an individual application level.
The operating system's default will be used if the value is absent at both levels or set to 0.
Syntax
Integer number
Tips
Do not over adjust this limit. This may result in 503 errors if your application need more memory.
Process Soft Limit⇑
Description
Limits the total number of processes that can be created on behalf of a user. All existing processes will be counted against this limit, not just new processes to be started.
The limit can be set at the server level or at an individual external application level. The server-level limit will be used if it is not set at an individual application level. The operating system's default setting will be used if this value is 0 or absent at both levels.
Syntax
Integer number
Tips
PHP scripts can call for forking processes. The main purpose of this limit is as a last line of defense to prevent fork bombs and other attacks caused by PHP processes creating other processes.
Setting this setting too low can severely hurt functionality. The setting will thus be ignored below certain levels.
When Run On Start Up is set to "Yes (Daemon mode)", the actual process limit will be higher than this setting to make sure parent processes are not limited.
Process Hard Limit⇑
Description
Much the same as Process Soft Limit, except the soft limit can be raised up to the hard limit from within a user process. The hard limit can be set at the server level or at an individual external application level. The server-level limit will be used if it is not set at an individual application level. The operating system's default value will be used if the value is absent at both levels or set to 0.
Syntax
Integer number
cgroups⇑
Description
A Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes. You must be running cgroups v2 which is determined by the existence of the file /sys/fs/cgroup/cgroup.controllers.
Setting this to Disabled at the Server level will disable this setting server-wide. In all other cases, the Server level setting can be overridden at the Virtual Host level.
Default values:
Server level: Off
VH level: Inherit Server level setting
Syntax
Select from drop down list
reCAPTCHA Protection⇑
Description
reCAPTCHA Protection is a service provided as a way to mitigate heavy server load. reCAPTCHA Protection will activate after one of the below situations is hit. Once active, all requests by NON TRUSTED(as configured) clients will be redirected to a reCAPTCHA validation page. After validation, the client will be redirected to their desired page.
The following situations will activate reCAPTCHA Protection:
1. The server or vhost concurrent requests count passes the configured connection limit.
2. Anti-DDoS is enabled and a client is hitting a url in a suspicious manner. The client will redirect to reCAPTCHA first instead of getting denied when triggered.
3. A new rewrite rule environment is provided to activate reCAPTCHA via RewriteRules. 'verifycaptcha' can be set to redirect clients to reCAPTCHA. A special value ': deny' can be set to deny the client if it failed too many times. For example, [E=verifycaptcha] will always redirect to reCAPTCHA until verified. [E=verifycaptcha: deny] will redirect to reCAPTCHA until Max Tries is hit, after which the client will be denied.
Enable reCAPTCHA⇑
Description
Enable the reCAPTCHA Protection feature at the current level. This setting must be set to Yes at the Server level before the reCAPTCHA Protection feature can be used.
Default values:
Server-level: Yes
VH-Level: Inherit Server level setting
Syntax
Select from radio box
Site Key⇑
Description
The site key is the public key provided by Google via its reCAPTCHA service. A default Site Key will be used if not set.
Secret Key⇑
Description
The secret key is the private key provided by Google via its reCAPTCHA service. A default Secret Key will be used if not set.
reCAPTCHA Type⇑
Description
Specify the reCAPTCHA type to use with the key pairs.
If a key pair has not been provided and this setting is set to Not Set, a default key pair of type Invisible will be used.
Checkbox will display a checkbox reCAPTCHA for the visitor to validate.
Invisible will attempt to validate the reCAPTCHA automatically and if successful, will redirect to the desired page.
hCaptcha can be used to support reCAPTCHA provider hCaptcha.
Default value is Invisible.
Syntax
Select from drop down list
Max Tries⇑
Description
Max Tries specifies the maximum number of reCAPTCHA attempts permitted before denying the visitor.
Default value is 3.
Syntax
Integer number
Allowed Robot Hits⇑
Description
Number of hits per 10 seconds to allow ‘good bots’ to pass. Bots will still be throttled when the server is under load.
Default value is 3.
Syntax
Integer number
Bot White List⇑
Description
List of custom user agents to allow access. Will be subject to the ‘good bots’ limitations, including allowedRobotHits.
Syntax
List of user agents, one per line. Regex is supported.
Connection Limit⇑
Description
The number of concurrent connections (SSL & non-SSL) needed to activate reCAPTCHA. reCAPTCHA will be used until concurrent connections drop below this number.
Default value is 15000.
Syntax
Integer number
SSL Connection Limit⇑
Description
The number of concurrent SSL connections needed to activate reCAPTCHA. reCAPTCHA will be used until concurrent connections drop below this number.
Default value is 10000.
Syntax
Integer number
Bubblewrap Container⇑
Description
Set to Enabled if you wish to start CGI processes (including PHP programs) in a bubblewrap sandbox. See https://wiki.archlinux.org/title/Bubblewrap for details on using bubblewrap. Bubblewrap must be installed on your system prior to using this setting.
This setting cannot be turned on at the Virtual Host level if set to "Disabled" at the Server level.
Default values:
Server level: Disabled
VH level: Inherit Server level setting
Syntax
Select from drop down list
Bubblewrap Command⇑
Description
The full bubblewrap use command, including the bubblewrap program itself. More on configuring this command can be found here: https://openlitespeed.org/kb/bubblewrap-in-openlitespeed/ . If not specified, the default command listed below will be used.
Default value: /bin/bwrap --ro-bind /usr /usr --ro-bind /lib /lib --ro-bind-try /lib64 /lib64 --ro-bind /bin /bin --ro-bind /sbin /sbin --dir /var --dir /tmp --proc /proc --symlink ../tmp var/tmp --dev /dev --ro-bind-try /etc/localtime /etc/localtime --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache --ro-bind-try /etc/resolv.conf /etc/resolv.conf --ro-bind-try /etc/ssl /etc/ssl --ro-bind-try /etc/pki /etc/pki --ro-bind-try /etc/man_db.conf /etc/man_db.conf --ro-bind-try /home/$USER /home/$USER --bind-try /var/lib/mysql/mysql.sock /var/lib/mysql/mysql.sock --bind-try /home/mysql/mysql.sock /home/mysql/mysql.sock --bind-try /tmp/mysql.sock /tmp/mysql.sock --unshare-all --share-net --die-with-parent --dir /run/user/$UID ‘$PASSWD 65534’ ‘$GROUP 65534’
Namespace Container⇑
Description
Set to Enabled if you wish to start CGI processes (including PHP programs) in a namespace container sandbox. Only used when Bubblewrap Container is set to Disabled.
When not Disabled at the Server level, this settings value can be overridden at the Virtual Host level.
Default values:
Server level: Disabled
Virtual Host Level: Inherit Server level setting
Syntax
Select from drop down list
Namespace Template File⇑
Description
Path to an existing configuration file containing a list of directories to be mounted along with the methods used to mount them. When Namespace Container is set to Enabled and this value is not set, the following secure default configuration settings will be used:
$HOMEDIR/.lsns/tmp /tmp,tmp
/usr,ro-bind
/lib,ro-bind
/lib64,ro-bind-try
/bin,ro-bind
/sbin,ro-bind
/var,dir
/var/www,ro-bind-try
/proc,proc
../tmp var/tmp,symlink
/dev,dev
/etc/localtime,ro-bind-try
/etc/ld.so.cache,ro-bind-try
/etc/resolv.conf,ro-bind-try
/etc/ssl,ro-bind-try
/etc/pki,ro-bind-try
/etc/man_db.conf,ro-bind-try
/usr/local/bin/msmtp /etc/alternatives/mta,ro-bind-try
/usr/local/bin/msmtp /usr/sbin/exim,ro-bind-try
$HOMEDIR,bind-try
/var/lib/mysql/mysql.sock,bind-try
/home/mysql/mysql.sock,bind-try
/tmp/mysql.sock,bind-try
/run/mysqld/mysqld.sock,bind-try
/var/run/mysqld.sock,bind-try
/run/user/$UID,bind-try
$PASSWD
$GROUP
/etc/exim.jail/$USER.conf $HOMEDIR/.msmtprc,copy-try
/etc/php.ini,ro-bind-try
/etc/php-fpm.conf,ro-bind-try
/etc/php-fpm.d,ro-bind-try
/var/run,ro-bind-try
/var/lib,ro-bind-try
/etc/imunify360/user_config/,ro-bind-try
/etc/sysconfig/imunify360,ro-bind-try
/opt/plesk/php,ro-bind-try
/opt/alt,bind-try
/opt/cpanel,bind-try
/opt/psa,bind-try
/var/lib/php/sessions,bind-try
Syntax
An absolute path or a relative path to $SERVER_ROOT.
Access Denied Directories⇑
Description
Specifies directories that should be blocked from access. Add directories that contain sensitive data to this list to prevent accidentally exposing sensitive files to clients. Append a "*" to the path to include all sub-directories. If both Follow Symbolic Link and Check Symbolic Link are enabled, symbolic links will be checked against the denied directories.
Syntax
Comma-delimited list of directories
Tips
Of critical importance: This setting only prevents serving static files from these directories. This does not prevent exposure by external scripts such as PHP/Ruby/CGI.
Access Control⇑
Description
Specifies what sub networks and/or IP addresses can access the server. At the server level, this setting will affect all virtual hosts. You can also set up access control unique to each virtual host at the virtual host level. Virtual host level settings will NOT override server level settings.
Blocking/Allowing an IP is determined by the combination of the allowed list and the denied list. If you want to block only certain IPs or sub-networks, put * or ALL in the Allowed List and list the blocked IPs or sub-networks in the Denied List. If you want to allow only certain IPs or sub-networks, put * or ALL in the Denied List and list the allowed IPs or sub-networks in the Allowed List. The setting of the smallest scope that fits for an IP will be used to determine access.
Server Level: Trusted IPs or sub-networks must be specified in the Allowed List by adding a trailing "T". Trusted IPs or sub-networks are not affected by connection/throttling limits. Only server level access control can set up trusted IPs/sub-networks.
Tips
Use this at the server level for general restrictions that apply to all virtual hosts.
Allowed List⇑
Description
Specifies the list of IPs or sub-networks allowed. * or ALL are accepted.
Syntax
Comma delimited list of IP addresses or sub-networks. A trailing "T" can be used to indicate a trusted IP or sub-network, such as 192.168.1.*T.
Example
IPv6 addresses: ::1 or [::1]
IPv6 subnets: 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64
Tips
Trusted IPs or sub-networks set at the server level access control will be excluded from connection/throttling limits.
Denied List⇑
Description
Specifies the list of IPs or sub-networks disallowed.
Syntax
Comma delimited list of IP addresses or sub-networks. * or ALL are accepted.
Example
IPv6 addresses: ::1 or [::1]
IPv6 subnets: 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64